Before Stuxnet, Refahiye pipeline blast in Turkey opened new cyberwar era

Jordan Robertson and Michael Riley

Washington: The pipeline was outfitted with sensors and cameras to monitor every step of its 1770 kilometres through Azerbaijan, Georgia and Turkey to the Mediterranean. Yet the blast that blew it out of commission didn't trigger a single distress signal.

That was bewildering, as was the cameras' failure to capture the combustion in eastern Turkey. But investigators shared their findings within a tight circle. The Turkish government publicly blamed a malfunction, Kurdish separatists claimed credit, and BP had the line running again in three weeks. The explosion that lit the night sky over Refahiye, a town known for its honey farms, seemed to be forgotten.

Revealed as a cyber attack: Firemen struggle to extinguish the fire at the Baku-Tbilisi-Ceyhan pipeline near the eastern Turkish city of Erzincan on August 7, 2008. Photo: Reuters

It wasn't. For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurised the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential.

The main weapon at valve station 30 on August 5, 2008, was a keyboard.

The revelation "rewrites the history of cyberwar", said Derek Reveron, a professor of national security affairs at the US Naval War College in Newport, Rhode Island.

Countries have been laying the groundwork for cyberwar operations for years, and companies have been hit recently with digital broadsides bearing hallmarks of government sponsorship. Sony's network was raided by hackers believed to be aligned with North Korea, and sources have said JPMorgan Chase & Co blamed an August assault on Russian cyberspies. Security researchers just uncovered what they said was a campaign by Iranian hackers that targeted commercial airlines, looking for vulnerabilities that could be used in physical attacks.


The Refahiye explosion occurred two years before Stuxnet, the computer worm that in 2010 crippled Iran's nuclear-enrichment program, widely believed to have been deployed by Israel and the US. It turns out the Baku-Tbilisi-Ceyhan pipeline hackers were ahead of them. The chief suspect, according to US intelligence officials, is Russia.

The sabotage of the BTC line - which follows a route through the former Soviet Union that the US mapped out over Russian objections - marked another chapter in the belligerent energy politics of Eurasia. Days after the explosion, Russian fighter jets dropped bombs near the line in neighbouring Georgia. Alexander Dugin, an influential advocate of Russian expansionism and at the time an adviser to the Russian parliament, was quoted in a Turkish newspaper declaring the BTC was "dead".


The obituary was premature, but the attack proved to US officials that they were right to be concerned about the vulnerability of pipelines that snake for hundreds of thousands of kilometres across Europe and North America. National Security Agency experts had been warning the lines could be blown up from a distance, without the bother of conventional weapons. The attack was evidence other nations had the technology to wage a new kind of war, three current and former US officials said.

"The timing really is the significance," said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Centre, which works with utilities and pipeline companies. "Stuxnet was discovered in 2010 and this was obviously deployed before that. This is another point on the timeline" in the young history of cyberwar.

US intelligence agencies believe the Russian government was behind the Refahiye explosion, according to two of the people briefed on the investigation. The evidence is circumstantial, they said, based on the possible motive and the level of sophistication. The attackers also left behind a tantalising clue.

Although as many as 60 hours of surveillance video were erased by the hackers, a single infrared camera not connected to the same network captured images of two men with laptop computers walking near the pipeline days before the explosion, according to one of the people, who has reviewed the video. The men wore black military-style uniforms without insignias, similar to the garb worn by special forces troops.

"Given Russia's strategic interest, there will always be the question of whether the country had a hand in it," said Emily Stromquist, an energy analyst for Eurasia Group, a political risk firm based in Washington.

Nikolai Lyaschenko, a spokesman for the Russian embassy in Washington, didn't respond to two emails and a phone call.

Eleven companies - including majority-owner BP, a subsidiary of the State Oil Company of Azerbaijan, Chevron and Norway's Statoil - built the line, which has carried more than 2 billion barrels of crude since opening in 2006.

Routed south to circumvent Russia, it was a major pipeline deliberately built outside Russian territory to carry crude from the Caspian, a blow to that country's aims to reassert control over Central Asia.

Traversing strategic, politically unsettled terrain, the line was built to be one of the most secure in the world. The 1.06 metre diameter pipe is buried underground and punctuated by fenced valve stations designed to isolate sections in case of emergency and to contain leaks.

According to investigators, every kilometre was monitored by sensors. Pressure, oil flow and other critical indicators were fed to a central control room via a wireless monitoring system. In an extra measure, they were also sent by satellite.

The explosion, about 11pm on a warm summer night, was spectacular. Residents described feeling the heat 800 metres away, and patients at a nearby hospital reported hearing a thunderous boom.

Almost immediately, the Kurdistan Workers' Party, or PKK, an armed separatist group in Turkey, claimed credit. It made sense because of the PKK's history of bombing pipelines. The Turkish government's claim of mechanical failure, on the other hand, was widely disputed in media reports. Hilmi Guler, then Turkey's energy minister, said at the time there was no evidence of sabotage. Neither he nor officials at the Energy Ministry responded to requests for comment.

Huseyin Sagir, a spokesman for Botas International Ltd, the state-run company that operates the pipeline in Turkey, said the line's computer systems hadn't been tampered with. "We have never experienced any kind of signal jamming attack or tampering on the communication lines, or computer systems," Mr Sagir said in an email. He didn't respond to questions about what caused the explosion. BP spokesman Toby Odone referred questions to Botas.

The BTC was shut down because of what BP referred to in its 2008 annual report simply as a fire.

The investigators - from Turkey, Britain, Azerbaijan and other countries - went quietly about their business. The first mystery they set out to solve was why the elaborate system in place to detect leaks of oil or a fire didn't work as planned.

Instead of receiving digital alerts from sensors placed along the line, the control room didn't learn about the blast until 40 minutes after it happened, from a security worker who saw the flames, according to a person who worked on the probe.

As investigators followed the trail of the failed alarm system, they found the hackers' point of entry was an unexpected one: the surveillance cameras themselves.

The cameras' communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.

Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.

The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line's design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.

The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.

Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The backup satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the probe.

Investigators compared the timestamp on the infrared image of the two people with laptops to data logs that showed the computer system had been probed by an outsider. It was an exact match, according to the people familiar with the investigation.
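The failure the investigators describe above is that the control room heard nothing: the alert units were tampered with, the wireless path went quiet and the satellite backup failed, so the absence of alarms read as a healthy line. The example below is added here to show the defensive design that closes that gap; it is not code from the article, from BP or Botas, or from any investigator. It models a control-room watchdog that tracks each valve station on two independent reporting channels (a wireless link and a satellite backup, as the article describes) and treats silence on either channel as an alarm in its own right, escalating to critical when both go quiet. Station identifiers, the pressure limit, the heartbeat deadline and the telemetry feed are all constructed for illustration.

```python
"""Fail-safe telemetry watchdog for a pipeline control room.

Added example, not the pipeline operator's code. Models the two reporting
paths described in the article (wireless and satellite) and treats a silent
channel as an alarm, so suppressed or jammed telemetry cannot masquerade
as a healthy line. All identifiers, limits and readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PRESSURE_BAR = 90.0   # assumed operating limit (constructed value)
STALE_AFTER_S = 60.0      # per-channel heartbeat deadline (constructed value)
CHANNELS = ("wireless", "satellite")


@dataclass
class Reading:
    station: str
    channel: str
    ts: float             # epoch seconds
    pressure_bar: float


@dataclass
class Alarm:
    station: str
    severity: str         # "warning" or "critical"
    reason: str


class Watchdog:
    def __init__(self, stations: List[str]):
        # last reading seen per station, per channel
        self.last: Dict[str, Dict[str, Reading]] = {s: {} for s in stations}

    def ingest(self, r: Reading) -> Optional[Alarm]:
        """Record a reading; raise a critical alarm if it breaches the limit."""
        if r.station not in self.last:
            # a station id the control room does not know about is itself suspect
            return Alarm(r.station, "warning", "reading from unknown station")
        self.last[r.station][r.channel] = r
        if r.pressure_bar > MAX_PRESSURE_BAR:
            return Alarm(r.station, "critical",
                         f"pressure {r.pressure_bar:.1f} bar exceeds limit")
        return None

    def sweep(self, now: float) -> List[Alarm]:
        """Periodic check: silence on a channel is never treated as 'no news'."""
        alarms: List[Alarm] = []
        for station, by_channel in self.last.items():
            stale = [c for c in CHANNELS
                     if c not in by_channel or now - by_channel[c].ts > STALE_AFTER_S]
            if len(stale) == len(CHANNELS):
                alarms.append(Alarm(station, "critical", "all telemetry channels silent"))
            elif stale:
                alarms.append(Alarm(station, "warning", f"channel {stale[0]} silent"))
            # when both channels are fresh, they must agree; divergence means a fault or tampering
            fresh = [by_channel[c] for c in CHANNELS if c not in stale]
            if len(fresh) == 2 and abs(fresh[0].pressure_bar - fresh[1].pressure_bar) > 5.0:
                alarms.append(Alarm(station, "critical", "channels disagree on pressure"))
        return alarms


def run_demo():
    """Constructed feed: VS30 loses its wireless path, then its satellite path too."""
    wd = Watchdog(["VS29", "VS30", "VS31"])
    feed = [
        Reading("VS29", "wireless", 1000.0, 62.0), Reading("VS29", "satellite", 1001.0, 62.3),
        Reading("VS30", "wireless", 1000.0, 63.0), Reading("VS30", "satellite", 1002.0, 63.1),
        Reading("VS31", "wireless", 1000.0, 61.5), Reading("VS31", "satellite", 1001.0, 61.4),
        # ~t=1040: VS30 wireless falls silent; satellite still reports, pressure climbing past limit
        Reading("VS29", "wireless", 1040.0, 62.1), Reading("VS29", "satellite", 1041.0, 62.2),
        Reading("VS30", "satellite", 1042.0, 92.5),
        Reading("VS31", "wireless", 1040.0, 61.6), Reading("VS31", "satellite", 1041.0, 61.5),
        # ~t=1080: neighbours keep reporting; VS30 is now silent on both channels
        Reading("VS29", "wireless", 1080.0, 62.0), Reading("VS29", "satellite", 1081.0, 62.1),
        Reading("VS31", "wireless", 1080.0, 61.7), Reading("VS31", "satellite", 1081.0, 61.6),
    ]
    immediate = [a for r in feed if (a := wd.ingest(r)) is not None]
    at_1070 = wd.sweep(1070.0)   # VS30 wireless is 70 s old: warning
    at_1110 = wd.sweep(1110.0)   # VS30 wireless 110 s, satellite 68 s old: critical
    return immediate, at_1070, at_1110


if __name__ == "__main__":
    for batch in run_demo():
        for alarm in batch:
            print(alarm)
```

The design point is that the watchdog's sweep runs on the control room's own clock, independent of anything the field units send, so a station whose alert units have been altered, or whose links are jammed, still surfaces as an alarm within one heartbeat interval rather than forty minutes later.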

Years later, BP claimed in documents filed in a legal dispute that it wasn't able to meet shipping contracts after the blast due to "an act of terrorism".

The explosion caused more than 30,000 barrels of oil to spill in an area above a water aquifer and cost BP and its partners $US5 million a day in transit tariffs during the closure, according to communications between BP and its bankers cited in The Oil Road, a book about the pipeline.

Some of the worst damage was felt by the State Oil Fund of the Republic of Azerbaijan, which lost $US1 billion in export revenue while the line was shut down, according to Jamala Aliyeva, a spokeswoman for the fund.

A pipeline bombing may fit the profile of the PKK, which specialises in extortion, drug smuggling and assaults on foreign companies, said Didem Akyel Collinsworth, an Istanbul-based analyst for the International Crisis Group. But she said the PKK doesn't have advanced hacking capabilities. "That's not their modus operandi," she said. "It's always been very physical, very basic insurgency stuff."

US spy agencies probed the BTC blast independently, gathering information from foreign communications intercepts and other sources, according to one of the people familiar with the inquiry. American intelligence officials believe the PKK - which according to leaked State Department cables has received arms and intelligence from Russia - may have arranged in advance with the attackers to take credit, the person said.

The US was interested in more than just motive. The Pentagon at the time was assessing the cyber capabilities of potential rivals, as well as weaknesses in its own defences. Since that attack, both Iran and China have hacked into US pipeline companies and gas utilities, apparently to identify vulnerabilities that could be exploited later.

As tensions over the Ukraine crisis have mounted, Russian cyberspies have been detected planting malware in US systems that deliver critical services like electricity and water, according to John Hultquist, senior manager for cyber espionage threat intelligence at Dallas-based iSight Partners, which first revealed the activity in October.

Russian hackers also targeted sensitive documents related to a NATO summit in September, hitting dozens of computers belonging to the Ukrainian government and others, according to an iSight report.

In the US, "it is only a matter of the 'when,' not the 'if,' that we are going to see something dramatic," Michael Rogers, director of the NSA and commander of the US Cyber Command, told the House intelligence committee on November 20. "I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure."

Three days after the BTC blast, Russia went to war with Georgia, and Georgia's then prime minister Nika Gilauri accused Russia of sending the jets to bomb the BTC near the city of Rustavi. The bombs missed their presumed target, some by only a few metres, and the pipeline remained undamaged. The keyboard was the better weapon.